开发者

How to Protect Sensible Passwords stored in a Database

I'm developing a web application for which final users have to create an account. This part is very easy: I'll hash their passwords with SHA-256 so that nobody, except the user himself, knows the password. Now comes the difficult part. After the user creates an account, he/she has to provide the password of his/her email server. Now the question is: how can I protect this password decently (the password will be stored in a database)? If I encrypt the password wi开发者_JS百科th TripleDES, any developer or system administrator would be able to decrypt the password and see it. What is the usual way to deal with such a problem? Many Thanks.


The usual way to do this is to use an symmetric encryption key which is derived from the user's password. The standard way to do this is using the algorithm specified in RFC2898, which generates a set of cryptographically secure bytes you can use as a key and IV. It's probably supported by a library for your language, .NET for example, which is what I use has the Rfc2898DeriveBytes class.

Of course when your user changes their password you will have to decrypt any existing cipher text and then derive the new key and re-encrypt.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜